VYPR
Medium severity · 5.3 · NVD Advisory · Published Apr 20, 2026 · Updated Apr 22, 2026

CVE-2025-66335

Description

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Doris MCP Server before 0.6.1 fails to neutralize query context, allowing SQL injection and bypass of validation via the MCP query execution interface.

Vulnerability

Overview

CVE-2025-66335 describes an improper neutralization flaw in Apache Doris MCP Server versions prior to 0.6.1. The vulnerability resides in the query context handling within the MCP (Model Context Protocol) query execution interface. Due to insufficient input sanitization, an attacker can inject unintended SQL statements that bypass the server's intended query validation and access restrictions [1][2][3].

Exploitation and Attack Surface

The attack vector targets the MCP server's tool-based interaction model, which is designed to execute database queries—including those generated from natural language via LLMs. The attacker does not require authentication beyond what is provided by the MCP client interface; the flaw allows the injection of malicious SQL through crafted queries that are not properly neutralized before execution. This can be done remotely over the network without any special privileges beyond access to the MCP endpoint [1][3].

Impact

Successful exploitation could allow an attacker to execute arbitrary SQL commands on the backend database, potentially reading, modifying, or deleting sensitive data. The vulnerability also enables bypassing the server's security controls, such as token-based authentication and role-based permissions, as the injected SQL is executed within the context of the MCP server's database connection [1][4].

Mitigation

The issue is fixed in Apache Doris MCP Server version 0.6.1, released on 2026-03-13 [4]. Users should upgrade immediately. Version 0.6.1 includes a centralized sql_security_utils module with comprehensive SQL injection prevention and over 2,500 lines of security test coverage [4]. No workaround is documented; the vendor lists versions from 0.1.0 up to (but not including) 0.6.1 as affected [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
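The kind of read-only query guard that a security module in front of an MCP query tool needs, as an added example: this is not the project's own sql_security_utils code (whose internals are not described here), and the keyword lists, function names and sample queries are assumptions for illustration. It refuses stacked statements, comments and write keywords while ignoring keywords that only appear inside string literals.

```python
import re

# Hypothetical allow/deny lists for a read-only MCP query tool (assumed, not the project's own).
READ_ONLY_START = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN", "WITH"}
WRITE_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE",
                  "GRANT", "REVOKE", "SET", "LOAD", "INTO", "CALL", "EXECUTE"}


def _blank_literals(sql):
    """Replace quoted literals/identifiers with a space so keywords inside them are ignored.
    Comments are refused outright: a quote inside a comment would desynchronise this lexer,
    and MySQL-style executable comments can carry statements. Returns (text, error)."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":
            q, i = c, i + 1
            while i < n and sql[i] != q:
                i += 2 if sql[i] == "\\" else 1  # skip backslash-escaped characters
            if i >= n:
                return "", "unterminated quoted literal"
            out.append(" ")
        elif sql.startswith(("--", "/*", "#"), i):
            return "", "comments are not allowed"
        else:
            out.append(c)
        i += 1
    return "".join(out), None


def check_read_only(sql):
    """Return (ok, reason). Only a single read-only statement without comments passes."""
    text, err = _blank_literals(sql)
    if err:
        return False, err
    body = text.strip().rstrip(";").strip()
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "stacked statements are not allowed"
    tokens = re.findall(r"[A-Za-z_]+", body.upper())
    if not tokens or tokens[0] not in READ_ONLY_START:
        return False, "statement must start with a read-only keyword"
    bad = WRITE_KEYWORDS.intersection(tokens)
    if bad:  # catches SELECT ... INTO OUTFILE as well as plain write statements
        return False, "write keyword not allowed: " + sorted(bad)[0]
    return True, "ok"
```

A tool handler would call check_read_only on the generated SQL and refuse to hand the text to the database connection unless it returns ok; the deny list is deliberately coarse, so a column literally named SET is rejected rather than risked.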

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: doris-mcp-server (PyPI)
Affected versions: >= 0.1.0, < 0.6.1
Patched versions: 0.6.1

Affected products (2)

  • cpe:2.3:a:apache:doris_mcp_server:*:*:*:*:*:*:*:* (range: >=0.1.0,<0.6.1)
  • (no CPE) (range: <0.6.1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (2)